Azure SQL Database and SQL Data Warehouse data discovery & classification

Data discovery & classification (currently in preview) provides advanced capabilities built into Azure SQL Database for discovering, classifying, labeling and protecting the sensitive data in your databases. Discovering and classifying your most sensitive data (business, financial, healthcare, personally identifiable information (PII), and so on) can play a pivotal role in your organization's information protection posture. It can serve as infrastructure for:

  • Helping meet data privacy standards and regulatory compliance requirements.
  • Various security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data.
  • Controlling access to, and hardening the security of, databases containing highly sensitive data.

Data discovery & classification is part of the Advanced Data Security (ADS) offering, which is a unified package for advanced SQL security capabilities. Data discovery & classification can be accessed and managed via the central SQL ADS portal.

Note

This document relates to Azure SQL Database and Azure SQL Data Warehouse. For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse. For SQL Server (on premises), see SQL Data Discovery and Classification.

What is data discovery & classification

Data discovery & classification introduces a set of advanced services and new SQL capabilities, forming a new SQL Information Protection paradigm aimed at protecting the data, not just the database:

  • Discovery & recommendations

    The classification engine scans your database and identifies columns containing potentially sensitive data. It then provides an easy way to review and apply the appropriate classification recommendations via the Azure portal.

  • Labeling

    Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL Engine. This metadata can then be used for advanced sensitivity-based auditing and protection scenarios.

  • Query result set sensitivity

    The sensitivity of a query result set is calculated in real time for auditing purposes.

  • Visibility

    The database classification state can be viewed in a detailed dashboard in the portal. Additionally, you can download a report (in Excel format) for compliance and auditing purposes, as well as other needs.

Discover, classify & label sensitive columns

The following section describes the steps for discovering, classifying, and labeling columns containing sensitive data in your database, as well as viewing the current classification state of your database and exporting reports.

The classification includes two metadata attributes:

  • Labels – The main classification attribute, used to define the sensitivity level of the data stored in the column.
  • Information Types – Provide additional granularity into the type of data stored in the column.

Define and customize your classification taxonomy

SQL data discovery & classification comes with a built-in set of sensitivity labels and a built-in set of information types and discovery logic. You now have the ability to customize this taxonomy and define a set and ranking of classification constructs specifically for your environment.

Definition and customization of your classification taxonomy is done in one central place for your entire Azure tenant. That location is Azure Security Center, as part of your Security Policy. Only someone with administrative rights on the Tenant root management group can perform this task.

As part of the Information Protection policy management, you can define custom labels, rank them, and associate them with a selected set of information types. You can also add your own custom information types and configure them with string patterns, which are added to the discovery logic for identifying this type of data in your databases. Learn more about customizing and managing your policy in the Information Protection policy how-to guide.

Once the tenant-wide policy has been defined, you can continue with the classification of individual databases using your customized policy.

Classify your SQL Database

  1. Go to the Azure portal.

  2. Navigate to Advanced Data Security under the Security heading in your Azure SQL Database pane. Click to enable Advanced Data Security, and then click on the Data discovery & classification (preview) card.

    (Screenshot: Scan database)

  3. The Overview tab includes a summary of the current classification state of the database, including a detailed list of all classified columns, which you can also filter to view only specific schema parts, information types and labels. If you haven't yet classified any columns, skip to step 5.

    (Screenshot: Summary of current classification state)

  4. To download a report in Excel format, click on the Export option in the top menu of the window.

    (Screenshot: Export to Excel)

  5. To begin classifying your data, click on the Classification tab at the top of the window.

    (Screenshot: Classify your data)

  6. The classification engine scans your database for columns containing potentially sensitive data and provides a list of recommended column classifications. To view and apply classification recommendations:

    • To view the list of recommended column classifications, click on the recommendations panel at the bottom of the window:

      (Screenshot: Classify your data)

    • Review the list of recommendations. To accept a recommendation for a specific column, check the checkbox in the left column of the relevant row. You can also mark all recommendations as accepted by checking the checkbox in the recommendations table header.

      (Screenshot: Review recommendations list)

    • To apply the selected recommendations, click on the blue Accept selected recommendations button.

      (Screenshot: Apply recommendations)

  7. You can also manually classify columns as an alternative, or in addition, to the recommendation-based classification:

    • Click on Add classification in the top menu of the window.

      (Screenshot: Manually add classification)

    • In the context window that opens, select the schema > table > column that you want to classify, and the information type and sensitivity label. Then click on the blue Add classification button at the bottom of the context window.

      (Screenshot: Select column to classify)

  8. To complete your classification and persistently label (tag) the database columns with the new classification metadata, click on Save in the top menu of the window.

    (Screenshot: Save)

Auditing access to sensitive data

An important aspect of the information protection paradigm is the ability to monitor access to sensitive data. Azure SQL Database Auditing has been enhanced to include a new field in the audit log called data_sensitivity_information, which logs the sensitivity classifications (labels) of the actual data that was returned by the query.

(Screenshot: Audit log)
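As an added example (not code from the original page or from Microsoft), the following T-SQL reads audit records from blob storage and keeps only the statements whose result set carried a sensitivity label. The storage URL is a placeholder for your own audit container; `sys.fn_get_audit_file` and the `data_sensitivity_information` column are real Azure SQL Database auditing features, and the label name used in the filter is the built-in "Highly Confidential" label, which you would replace with whichever label your policy defines.

```sql
-- Added example, not from the original page. Reads audit .xel files from blob
-- storage and surfaces queries that returned classified data.
-- Placeholder URL: replace <storage-account>, <server> and <database> with your own.
SELECT
    event_time,
    server_principal_name,
    database_name,
    object_name,
    statement,
    data_sensitivity_information        -- labels of the data actually returned
FROM sys.fn_get_audit_file(
        'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/',
        DEFAULT,
        DEFAULT)
WHERE data_sensitivity_information IS NOT NULL
  AND data_sensitivity_information <> ''
  -- Narrow to the most sensitive label defined in your policy (built-in name shown).
  AND data_sensitivity_information LIKE '%Highly Confidential%'
ORDER BY event_time DESC;
```

Because `data_sensitivity_information` reflects the data that was returned rather than the objects referenced in the statement, a query that touches a classified column but filters every row out will not appear in this result; that is the behaviour to expect when tuning alerts on this field.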

Manage data classification using T-SQL

You can use T-SQL to add/remove column classifications, as well as retrieve all classifications for the entire database.

Note

When using T-SQL to manage labels, there is no validation that labels added to a column exist in the organizational information protection policy (the set of labels that appear in the portal recommendations). It is therefore up to you to validate this.
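As an added example (not code from the original page or from Microsoft), the following T-SQL adds, lists and removes column classifications. The table `dbo.Customers` and its columns are hypothetical; `ADD SENSITIVITY CLASSIFICATION`, `DROP SENSITIVITY CLASSIFICATION` and the `sys.sensitivity_classifications` catalog view are the real Azure SQL Database statements, and the label and information-type names are the built-in defaults. The listing query is the check the note above asks for: since T-SQL does not validate label names against your policy, review the output against the labels defined in your Information Protection policy.

```sql
-- Added example, not from the original page.
-- Hypothetical table dbo.Customers with columns Email and CreditCardNumber.

-- Add classifications. Label and information-type names are NOT validated
-- against the tenant policy, so use exactly the names your policy defines.
ADD SENSITIVITY CLASSIFICATION TO
    dbo.Customers.Email
    WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Contact Info');

ADD SENSITIVITY CLASSIFICATION TO
    dbo.Customers.CreditCardNumber
    WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'Credit Card');

-- Retrieve every classification in the database, resolving the catalog's
-- major_id/minor_id pair to schema, table and column names for review.
SELECT
    s.name AS schema_name,
    t.name AS table_name,
    c.name AS column_name,
    sc.label,
    sc.information_type
FROM sys.sensitivity_classifications AS sc
JOIN sys.tables  AS t ON t.object_id = sc.major_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
JOIN sys.columns AS c ON c.object_id = sc.major_id
                     AND c.column_id = sc.minor_id
ORDER BY schema_name, table_name, column_name;

-- Remove a classification from a column.
DROP SENSITIVITY CLASSIFICATION FROM dbo.Customers.Email;
```

Run the listing query after any T-SQL or scripted change: a label that is misspelled or not part of the policy is accepted by the engine but will not match the labels the portal and the audit log's `data_sensitivity_information` field are keyed on.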

You can also use REST APIs to programmatically manage classifications. The published REST APIs support the following operations:

Manage data discovery and classification using Azure PowerShell

You can use PowerShell to get all the recommended columns in an Azure SQL database and a managed instance.

PowerShell cmdlets for Azure SQL Database

PowerShell cmdlets for managed instance

Permissions

The following built-in roles can read the data classification of an Azure SQL database: Owner, Reader, Contributor, SQL Security Manager and User Access Administrator.

The following built-in roles can modify the data classification of an Azure SQL database: Owner, Contributor and SQL Security Manager.

Learn more about RBAC for Azure resources

Next steps